Re: [RESEND][PATCH] omapdrm: fix missing check on list iterator

From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
To: Xiaomeng Tong <xiam0nd.tong@gmail.com>,
	airlied@linux.ie, daniel@ffwll.ch
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org,
	dri-devel@lists.freedesktop.org
Subject: Re: [RESEND][PATCH] omapdrm: fix missing check on list iterator
Date: Thu, 14 Apr 2022 11:32:27 +0300	[thread overview]
Message-ID: <b2afddb7-13fc-9ed8-ad0f-fe5a33ee9da0@ideasonboard.com> (raw)
In-Reply-To: <20220414061410.7678-1-xiam0nd.tong@gmail.com>

Hi,

On 14/04/2022 09:14, Xiaomeng Tong wrote:
> The bug is here:
> 	bus_flags = connector->display_info.bus_flags;
> 
> The list iterator 'connector-' will point to a bogus position containing
> HEAD if the list is empty or no element is found. This case must
> be checked before any use of the iterator, otherwise it will lead
> to a invalid memory access.
> 
> To fix this bug, add an check. Use a new value 'iter' as the list
> iterator, while use the old value 'connector' as a dedicated variable
> to point to the found element.
> 
> Cc: stable@vger.kernel.org
> Fixes: ("drm/omap: Add support for drm_panel")
> Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
> ---
>   drivers/gpu/drm/omapdrm/omap_encoder.c | 14 +++++++++-----
>   1 file changed, 9 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/gpu/drm/omapdrm/omap_encoder.c b/drivers/gpu/drm/omapdrm/omap_encoder.c
> index 4dd05bc732da..d648ab4223b1 100644
> --- a/drivers/gpu/drm/omapdrm/omap_encoder.c
> +++ b/drivers/gpu/drm/omapdrm/omap_encoder.c
> @@ -76,14 +76,16 @@ static void omap_encoder_mode_set(struct drm_encoder *encoder,
>   	struct omap_encoder *omap_encoder = to_omap_encoder(encoder);
>   	struct omap_dss_device *output = omap_encoder->output;
>   	struct drm_device *dev = encoder->dev;
> -	struct drm_connector *connector;
> +	struct drm_connector *connector = NULL, *iter;
>   	struct drm_bridge *bridge;
>   	struct videomode vm = { 0 };
>   	u32 bus_flags;
>   
> -	list_for_each_entry(connector, &dev->mode_config.connector_list, head) {
> -		if (connector->encoder == encoder)
> +	list_for_each_entry(iter, &dev->mode_config.connector_list, head) {
> +		if (iter->encoder == encoder) {
> +			connector = iter;
>   			break;
> +		}
>   	}

When does this bug happen? How do you get omap_encoder_mode_set() called 
for an encoder with a connector that is not valid?

>   
>   	drm_display_mode_to_videomode(adjusted_mode, &vm);
> @@ -106,8 +108,10 @@ static void omap_encoder_mode_set(struct drm_encoder *encoder,
>   		omap_encoder_update_videomode_flags(&vm, bus_flags);
>   	}
>   
> -	bus_flags = connector->display_info.bus_flags;
> -	omap_encoder_update_videomode_flags(&vm, bus_flags);
> +	if (connector) {
> +		bus_flags = connector->display_info.bus_flags;
> +		omap_encoder_update_videomode_flags(&vm, bus_flags);
> +	}
>   
>   	/* Set timings for all devices in the display pipeline. */
>   	dss_mgr_set_timings(output, &vm);

How does this fix the issue? You just skip the lines that set up the 
videomode, but then pass that videomode to dss_mgr_set_timings()...

  Tomi